cookbook 'secret', '~> 1.0.0', :supermarket
Managing secrets in Chef recipes
cookbook 'secret', '~> 1.0.0'
knife supermarket install secret
knife supermarket download secret
secret cookbook
Managing secrets in Chef recipes.
Usage
secret = ::ChefCookbook::Secret::Helper.new(node)
secret.get('postgres:password:root') # supersecretpassword
Approach
If you use Chef encrypted data bags for storing secrets (passwords, API keys etc.), you might have written some code like the line below:
secret_val = data_bag_item(DATA_BAG_NAME, DATA_BAG_ITEM_NAME)[SUBKEY_1][SUBKEY_2][SUBKEY_3]
Assuming you have several servers (Chef nodes) and various environments (development, staging, production), the scheme below is good enough for managing secrets for all assets in one repository:
- DATA_BAG_NAME stands for a category, e.g. postgres for storing all PostgreSQL server user passwords.
- DATA_BAG_ITEM_NAME stands for an environment, e.g. staging.
- SUBKEY_1 (in fact, every top-level key within the JSON associated with a particular data bag item) stands for a server (Chef node) FQDN.
With that in mind, the postgres::staging data bag item JSON will contain the following data (each top-level key below "id" is a node FQDN):
{
"id": "staging",
"db1.example.com": {
"password": {
"root": "reallystrongpassword1"
}
},
"db2.example.com": {
"password": {
"root": "reallystrongpassword2"
}
}
}
In order to obtain the necessary password while provisioning server db1.example.com, you can write in your recipe:
postgres_pwd = data_bag_item('postgres', node.chef_environment)[node['automatic']['fqdn']]['password']['root']
The secret cookbook makes the difference:
secret = ::ChefCookbook::Secret::Helper.new(node) # initialize once in a recipe
postgres_pwd = secret.get('postgres:password:root')
You only need to pass DATA_BAG_NAME and the subkeys, excluding the environment and FQDN values (they are detected automatically from the node).
Advanced usage
secret_val = secret.get(query, options)
where query is a string and options is a Ruby Hash.
default option
secret.get will return the default value in case none is defined in the data bag item.
required option
Whether a value must be defined in the data bag item or by the default option. Defaults to true. The provisioning run will fail if a required value is not defined in the data bag item and there is no default value.
item option
Overrides DATA_BAG_ITEM_NAME. By default it equals node.chef_environment.
prefix_fqdn option
Whether or not to prepend the server (Chef node) FQDN to the query. Defaults to true. When the value is false, your data bag item JSON should look like this:
{
"id": "staging",
"password": {
"root": "reallystrongpassword1"
}
}
This may be suitable for environments with a single node or several nodes with shared secrets.
Not only can this option be customised in a secret.get call, but it may also be changed globally with the node['secret']['prefix_fqdn'] attribute (true by default).
Examples
val1 = secret.get('postgres:password:user', default: nil)
val2 = secret.get('aws:s3:access_key', prefix_fqdn: false)
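The lookup described in the Approach and Advanced usage sections, as an added, illustrative re-implementation that is not the cookbook's own code: Chef's data_bag_item is replaced by a constructed in-memory Hash, the node is a small Struct, and the query is resolved with the default, required, item and prefix_fqdn options behaving as documented above.

```ruby
# Illustrative stand-in for the secret cookbook's helper (not its real code).
# Constructed sample data bags replacing Chef's data_bag_item(bag, item).
FAKE_DATA_BAGS = {
  'postgres' => {
    'staging' => {
      'id' => 'staging',
      'db1.example.com' => { 'password' => { 'root' => 'reallystrongpassword1' } },
      'db2.example.com' => { 'password' => { 'root' => 'reallystrongpassword2' } }
    }
  },
  'aws' => {
    'staging' => { 'id' => 'staging', 's3' => { 'access_key' => 'AKIA_EXAMPLE' } }
  }
}.freeze

# Minimal node stand-in: environment, FQDN and the node['secret']['prefix_fqdn'] attribute.
FakeNode = Struct.new(:chef_environment, :fqdn, :prefix_fqdn_attr)

class SecretHelper
  def initialize(node, bags = FAKE_DATA_BAGS)
    @node = node
    @bags = bags
  end

  # query is 'DATA_BAG_NAME:subkey1:subkey2...'; the environment (item) and
  # FQDN come from the node unless overridden via :item / :prefix_fqdn.
  def get(query, options = {})
    opts = { required: true, item: @node.chef_environment,
             prefix_fqdn: @node.prefix_fqdn_attr }.merge(options)
    bag, *subkeys = query.split(':')
    raise ArgumentError, "bad query #{query.inspect}" if bag.nil? || bag.empty? || subkeys.empty?
    subkeys.unshift(@node.fqdn) if opts[:prefix_fqdn]
    item = @bags.fetch(bag, {})[opts[:item]]
    # Walk the nested hash; any missing level yields nil instead of raising.
    value = subkeys.reduce(item) { |h, k| h.is_a?(Hash) ? h[k] : nil }
    return value unless value.nil?
    return opts[:default] if opts.key?(:default)   # explicit default wins, even nil
    raise KeyError, "secret #{query} not found in #{bag}/#{opts[:item]}" if opts[:required]
    nil
  end
end
```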
License
MIT @ Alexander Pyatkin
Collaborator Number Metric
1.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
1.0.0 passed this metric
No Binaries Metric
1.0.0 passed this metric
Publish Metric
1.0.0 passed this metric
Supported Platforms Metric
1.0.0 failed this metric
secret should declare what platform(s) it supports.
Testing File Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.0.0 passed this metric